Yahoo Slams Email Surveillance Story: Experts Demand Details

Bombshell revelations that Yahoo conducted mass email surveillance are raising hackles among legal, civil liberties and security experts, who demand that Yahoo and the U.S. government come clean. Meanwhile, Yahoo challenged the accuracy of Tuesday’s report by Reuters.

“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems,” Yahoo said in a statement.

The Electronic Frontier Foundation and others say the Reuters report, while incomplete, drives more distrust between US citizens, government spy agencies and one of the nation’s largest Internet companies. They assert that, whatever the truth, American citizens have a constitutional right to know it.

“There’s still much that we don’t know at this point, but if the report is accurate, it represents a new—and dangerous—expansion of the government’s mass surveillance techniques,” said Andrew Crocker and Mark Rumold, attorneys with the EFF, in a post responding to the Yahoo revelation.

Reuters reported Tuesday that last year Yahoo had created an internal program to scan “all arriving messages” to Yahoo email inboxes for “a set of characters.” According to three Reuters sources, the request was made by either the National Security Agency or the FBI. It’s also unknown what the officials were looking for.

According to the Reuters report, the surveillance program was discovered by Yahoo’s security team in May 2015. The report claims the Yahoo security team initially believed hackers had infiltrated its system.

“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court,” Patrick Toomey, an attorney with the American Civil Liberties Union, said in a statement.

If the report is true, the surveillance would be unprecedented in scope and go beyond NSA’s PRISM program, revealed by Edward Snowden in 2013, according to the EFF. “This is the first public indication that the government has compelled a U.S.-based email provider—as opposed to an Internet-backbone provider—to conduct surveillance against all its customers in real time,” it wrote.

The Yahoo surveillance program represents a troubling new twist to government surveillance, the EFF believes.

Under the Foreign Intelligence Surveillance Act, intelligence agencies can ask U.S. phone and Internet companies to hand over customer data to aid foreign intelligence-gathering efforts in an effort to prevent terrorist attacks and for a variety of reasons.

The EFF said the government has said these programs only “target” foreigners outside the U.S. and wouldn’t impinge on American citizens’ constitutional rights. “Here, however, the government seems to have dispensed with that dubious facade by intentionally engaging in mass surveillance of purely domestic communications involving millions of Yahoo users,” Crocker and Rumold state.

According to statements from leading Internet companies Microsoft, Twitter, Google, Facebook and Apple, the government surveillance program highlighted by Reuters appeared to single out Yahoo.

Twitter spokesperson Nu Wexler said: “We’ve never received a request like this, and were we to receive it we’d challenge it in a court. Separately, while federal law prohibits companies from being able to share information about certain types of national security related requests, we are currently suing the Justice Department for the ability to disclose more information about government requests.”

A spokesperson for Google said in a statement, “We’ve never received such a request, but if we did, our response would be simple: ‘No way’.”

“We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo,” Microsoft said in a statement.

For its part Yahoo, reacting to the Reuters story, issued the initial statement, “Yahoo is a law abiding company, and complies with the laws of the United States.”

Still, Robert Graham, a security researcher and the owner of Errata Security, says there are too few details regarding the revelations to draw solid conclusions. Unclear to Graham, based on the Reuters report, is whether Yahoo searched all incoming emails or scanned email accounts. “Did they ‘search incoming emails’ or did they ‘scan mail accounts’?” he wrote in a blog post. He asserts there are still many big details that need to be better understood.

“The story is full of mangled details that really tell us nothing. I can come up with multiple, unrelated scenarios that are consistent with the content in the story,” Graham said.

One of those theories, posited by journalist and entrepreneur Declan McCullagh, is that the Department of Homeland Security “provided Yahoo with classified malware signatures to use when scanning incoming email.”

“This is very plausible. There is a lot of information sharing between government and private agencies,” said Tyler Shields, vice president of strategy at Signal Sciences, a web security firm. He explains that a government agency may have been investigating previously unknown malware used in a nation-state attack, or similar. “It’s feasible that the DHS reached out to Yahoo with knowledge the malware was being used against one or many of its users. Further identifying other targets of the malware would help DHS determine the malware’s sender and authors.”
